Office of Information Technology

Cybersecurity Incident — Canvas

by Office of Information Technology May 7, 2026

Decorative Cybersecurity Banner

Update 5/26/2026

Instructure has continued posting updates on its Security Incident Update & FAQs page, including that they have shared additional information with customers. PSU has received that information, which includes technical details about the type of data fields that were compromised. This technical information is consistent with Instructure’s public disclosures and does not include new, meaningful information about the data itself or impacted records. PSU will continue closely monitoring information from Instructure and will share additional updates when relevant information becomes available.

Previous Update 5/12/2026
Instructure has shared additional information on its Security Incident Update & FAQs page, including that they have reached an agreement with the unauthorized actor involved in this incident. As part of that agreement, Instructure shared that:

  • The data was returned to them
  • They received digital confirmation of data destruction
  • They were informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise
  • The agreement covers all impacted Instructure customers
  • Individual customers are advised not to engage with the unauthorized actor if contacted

Note: PSU is not able to independently verify the information shared by Instructure.

Original Message

Portland State University was notified of a cybersecurity incident involving Instructure, the company that provides our Canvas online learning management system. PSU is one of many institutions nationwide that were potentially impacted.

The Instructure Incident Update indicates that potentially exposed information consists of certain user data such as names, email addresses, student ID numbers and messages among users. OIT is monitoring the situation very closely and will share additional, relevant information with the PSU community as it becomes available.

Here are a few important facts we want to share:

  • There is no indication that passwords, dates of birth, government identification numbers or financial information were compromised.
  • No Portland State University systems were compromised. This incident was entirely isolated to Instructure’s own corporate systems.
  • According to Instructure, they quickly detected the unauthorized access and eliminated the attacker from their network.
  • Canvas and all other PSU systems remain fully functional and are safe to continue using.

While no action is required from PSU faculty, staff, or students regarding the Instructure incident at this time, please be aware that attackers may use compromised data from this incident to target you with phishing emails in the future. OIT strongly recommends remaining vigilant through practices such as always verifying the source of an email before responding or following links, using complex and unique passwords on all of your accounts and using two-factor authentication.

Thank you for your patience as we wait for further updates from Instructure, the parent company of Canvas.
 

Return to blog